CVE-2015-6280

2015-09-27T22:59:12

ID CVE-2015-6280Type cveReporter NVDModified 2017-01-04T14:33:45

Description

The SSHv2 functionality in Cisco IOS 15.2, 15.3, 15.4, and 15.5 and IOS XE 3.6E before 3.6.3E, 3.7E before 3.7.1E, 3.10S before 3.10.6S, 3.11S before 3.11.4S, 3.12S before 3.12.3S, 3.13S before 3.13.3S, and 3.14S before 3.14.1S does not properly implement RSA authentication, which allows remote attackers to obtain login access by leveraging knowledge of a username and the associated public key, aka Bug ID CSCus73013.

All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to content@vulners.com Vulners, 2017

{"result": {"cisco": [{"id": "CISCO-SA-20150923-SSHPK", "type": "cisco", "title": "Cisco IOS and IOS XE Software SSH Version 2 RSA-Based User Authentication Bypass Vulnerability", "description": "A vulnerability in the SSH version 2 (SSHv2) implementation of the public key authentication method of Cisco IOS and IOS XE Software could allow an\nunauthenticated, remote attacker to bypass user authentication.\n\nThe\nvulnerability is due to a flaw in the implementation of the SSHv2 public key authentication method, also known as Rivest, Shamir, and Adleman (RSA)-based user authentication. An attacker could exploit this\nvulnerability by authenticating to an affected system configured\nfor SSHv2 RSA-based user authentication using a crafted private key. The attacker must know a valid username configured for RSA-based user\nauthentication and the public key configured for that user to exploit\nthis vulnerability.\n\nA successful exploit could\nallow the attacker to bypass user authentication and log in with the privileges of the user or with the privileges configured for the virtual teletype (VTY) line. Depending on the configuration of the user and of the VTY line, the\nattacker may obtain administrative privileges on the system. The\nattacker cannot use this vulnerability to elevate privileges.\n\nA vulnerability in the SSH version 2 (SSHv2) protocol implementation of Cisco IOS and IOS XE Software could allow an\nunauthenticated, remote attacker to bypass user authentication. \n\nSuccessful exploitation could allow the attacker to log in with the privileges of the user or the privileges configured for the Virtual Teletype (VTY) line. Depending on the configuration of the user and of the vty line, the attacker may obtain administrative privileges on the system. The attacker cannot use this vulnerability to elevate privileges.\n\nThe attacker must know a valid username configured for Rivest, Shamir, and Adleman (RSA)-based user authentication and the public key configured for that user to exploit this vulnerability. This vulnerability\naffects only devices configured for public key authentication method, also known as an RSA-based user authentication feature. \n\nCisco has released software updates that address this vulnerability. Workarounds for this vulnerability are not available; however administrators could temporarily disable RSA-based user authentication to avoid exploitation. This advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-sshpk[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-sshpk\"]\n\nNote: The September 23, 2015, release of the Cisco IOS and IOS XE Software Security Advisory bundled publication includes three Cisco Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: September 2015 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication at the following link:\nhttp://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep15.html[\"http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep15.html\"]", "published": "2015-09-23T16:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-sshpk", "cvelist": ["CVE-2015-6280"], "lastseen": "2017-09-26T15:33:36"}], "openvas": [{"id": "OPENVAS:1361412562310105674", "type": "openvas", "title": "Cisco IOS and IOS XE Software SSH Version 2 RSA-Based User Authentication Bypass Vulnerability", "description": "A vulnerability in the SSH version 2 (SSHv2) protocol implementation of Cisco IOS and IOS XE Software could allow an\nunauthenticated, remote attacker to bypass user authentication. \n\nSuccessful exploitation could allow the attacker to log in with the privileges of the user or the privileges configured for the Virtual Teletype (VTY) line. Depending on the configuration of the user and of the vty line, the attacker may obtain administrative privileges on the system. The attacker cannot use this vulnerability to elevate privileges.\n\nThe attacker must know a valid username configured for Rivest, Shamir, and Adleman (RSA)-based user authentication and the public key configured for that user to exploit this vulnerability. This vulnerability\naffects only devices configured for public key authentication method, also known as an RSA-based user authentication feature. \n\nCisco has released software updates that address this vulnerability. Workarounds for this vulnerability are not available; however administrators could temporarily disable RSA-based user authentication to avoid exploitation. This advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-sshpk\n\nNote: The September 23, 2015, release of the Cisco IOS and IOS XE Software Security Advisory bundled publication includes three Cisco Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: September 2015 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication at the following link:\nhttp://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep15.html\n", "published": "2016-05-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105674", "cvelist": ["CVE-2015-6280"], "lastseen": "2017-07-02T21:13:04"}, {"id": "OPENVAS:1361412562310105640", "type": "openvas", "title": "Cisco IOS and IOS XE Software SSH Version 2 RSA-Based User Authentication Bypass Vulnerability", "description": "A vulnerability in the SSH version 2 (SSHv2) protocol implementation of Cisco IOS and IOS XE Software could allow an\nunauthenticated, remote attacker to bypass user authentication. \n\nSuccessful exploitation could allow the attacker to log in with the privileges of the user or the privileges configured for the Virtual Teletype (VTY) line. Depending on the configuration of the user and of the vty line, the attacker may obtain administrative privileges on the system. The attacker cannot use this vulnerability to elevate privileges.\n\nThe attacker must know a valid username configured for Rivest, Shamir, and Adleman (RSA)-based user authentication and the public key configured for that user to exploit this vulnerability. This vulnerability\naffects only devices configured for public key authentication method, also known as an RSA-based user authentication feature. \n\nCisco has released software updates that address this vulnerability. Workarounds for this vulnerability are not available; however administrators could temporarily disable RSA-based user authentication to avoid exploitation. This advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-sshpk\n\nNote: The September 23, 2015, release of the Cisco IOS and IOS XE Software Security Advisory bundled publication includes three Cisco Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: September 2015 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication at the following link:\nhttp://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep15.html\n", "published": "2016-05-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105640", "cvelist": ["CVE-2015-6280"], "lastseen": "2017-07-02T21:12:54"}], "nessus": [{"id": "CISCO-SA-20150923-SSHPK-IOSXE.NASL", "type": "nessus", "title": "Cisco IOS XE SSHv2 RSA-Based User Authentication Bypass (CSCus73013)", "description": "The remote Cisco IOS XE device is missing a vendor-supplied security patch, and is configured for SSHv2 RSA-based user authentication. It is, therefore, affected by a flaw in the SSHv2 protocol implementation of the public key authentication method. An unauthenticated, remote attacker can exploit this, via a crafted private key, to bypass authentication mechanisms. In order to exploit this vulnerability an attacker must know a valid username configured for RSA-based user authentication and the public key configured for that user.", "published": "2015-10-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86250", "cvelist": ["CVE-2015-6280"], "lastseen": "2017-10-29T13:44:47"}, {"id": "CISCO-SA-20150923-SSHPK-IOS.NASL", "type": "nessus", "title": "Cisco IOS SSHv2 RSA-Based User Authentication Bypass (CSCus73013)", "description": "The remote Cisco IOS device is missing a vendor-supplied security patch, and is configured for SSHv2 RSA-based user authentication. It is, therefore, affected by a flaw in the SSHv2 protocol implementation of the public key authentication method. An unauthenticated, remote attacker can exploit this, via a crafted private key, to bypass authentication mechanisms. In order to exploit this vulnerability an attacker must know a valid username configured for RSA-based user authentication and the public key configured for that user.", "published": "2015-10-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86249", "cvelist": ["CVE-2015-6280"], "lastseen": "2017-10-29T13:36:59"}]}}